Ambient: Document that PeerAuthentication mTLS.Mode = DISABLE is a no-op in ambient #14789
Labels: area/ambient, area/networking, area/security, area/user experience, good first issue
In sidecar, it used to be possible to globally disable mTLS for all workloads at the cluster or namespace level with PeerAuthentication.
In ambient, you can still create a PeerAuthentication policy at the mesh or namespace level that uses DISABLE, but it will be ignored. This is by design, as we do not support DISABLE in ambient - it is effectively an alias for PERMISSIVE.
If you want to drop mTLS for an entire namespace, unlabel the namespace for ambient capture instead, e.g.
kubectl label namespace default istio.io/dataplane-mode-
We need to document this behavior, however.
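An added example, not part of the original issue or of Istio's code: an audit that lists mesh- and namespace-level PeerAuthentication policies whose `DISABLE` mode has no effect because the target namespace is captured by ambient. The sample objects are constructed, and the `ambient` label value, the `istio-system` root namespace and the function name are assumptions; workload-selector policies are left out of scope.

```python
import json

AMBIENT_LABEL = "istio.io/dataplane-mode"  # label key from the issue text

# Constructed sample data shaped like `kubectl get ns -o json` and
# `kubectl get peerauthentication -A -o json` (not from a real cluster).
NAMESPACES = json.loads("""{"items": [
  {"metadata": {"name": "istio-system"}},
  {"metadata": {"name": "default", "labels": {"istio.io/dataplane-mode": "ambient"}}},
  {"metadata": {"name": "payments", "labels": {"istio.io/dataplane-mode": "ambient"}}},
  {"metadata": {"name": "legacy", "labels": {"istio-injection": "enabled"}}}]}""")
POLICIES = json.loads("""{"items": [
  {"metadata": {"namespace": "istio-system", "name": "mesh-default"},
   "spec": {"mtls": {"mode": "DISABLE"}}},
  {"metadata": {"namespace": "default", "name": "ns-off"},
   "spec": {"mtls": {"mode": "DISABLE"}}},
  {"metadata": {"namespace": "legacy", "name": "ns-off"},
   "spec": {"mtls": {"mode": "DISABLE"}}},
  {"metadata": {"namespace": "default", "name": "workload-off"},
   "spec": {"selector": {"matchLabels": {"app": "db"}}, "mtls": {"mode": "DISABLE"}}}]}""")


def ignored_disable_policies(namespaces, policies, root_namespace="istio-system"):
    """Return (policy, namespace) pairs where a DISABLE policy has no effect."""
    ambient = {
        ns["metadata"]["name"] for ns in namespaces["items"]
        if (ns["metadata"].get("labels") or {}).get(AMBIENT_LABEL) == "ambient"
    }
    # Mesh- and namespace-level policies are the ones without a workload selector.
    wide = [p for p in policies["items"] if not p.get("spec", {}).get("selector")]
    # A namespace-level policy takes precedence over the mesh-level one there.
    has_own = {p["metadata"]["namespace"] for p in wide} - {root_namespace}
    findings = []
    for p in wide:
        if p.get("spec", {}).get("mtls", {}).get("mode") != "DISABLE":
            continue
        ns, name = p["metadata"]["namespace"], p["metadata"]["name"]
        if ns == root_namespace:
            targets = sorted(ambient - has_own)
        else:
            targets = [ns] if ns in ambient else []
        findings += [(f"{ns}/{name}", t) for t in targets]
    return findings


if __name__ == "__main__":
    for policy, namespace in ignored_disable_policies(NAMESPACES, POLICIES):
        print(f"{policy}: DISABLE is ignored in ambient namespace {namespace}")
```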